I have answered my own question. Approximately line 895 of config.c ...
/* ask and fail if no client certificate */
SSL_CTX_set_verify(res->ctx, SSL_VERIFY_PEER |
SSL_CTX_set_verify_depth(res->ctx, atoi(lin +
A coworker familiar with OpenSSL pointed out that "SSL_CTX_set_verify_depth" is
an OpenSSL function. After reading the OpenSSL documentation it became clear
what the Pound depth parameter was doing.
"SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up to
which depth certificates in a chain are used during the verification procedure.
If the certificate chain is longer than allowed, the certificates above the
limit are ignored. Error messages are generated as if these certificates would
not be present, most likely a X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will
be issued. The depth count is ``level 0:peer certificate'', ``level 1: CA
certificate'', ``level 2: higher level CA certificate'', and so on. Setting the
maximum depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
allowing for the peer certificate and additional 9 CA certificates."
Full documentation can be found here: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
Robert, can you please make a small documentation update to pound(8). My
ClientCert 0|1|2|3 depth
Ask for the client's HTTPS certificate: 0 - don't ask (default),
1 - ask, 2 - ask and fail if no certificate was presented, 3 - ask but do
not verify. Depth is the depth of verification for a client
certificate (up to 9). The default depth limit is 9, allowing for the peer
certificate and additional 9 CA certificates that must be verified."
I hope this is helpful for anyone else looking to enable client certificate
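To see the depth limit behave, here is an added example that is not from the Pound thread or from Pound's own code. It builds a constructed three-tier chain (a self-signed root, two intermediates, and a client leaf) and checks the leaf with `openssl verify -verify_depth N`, which sets the same X509 verification depth that Pound hands to SSL_CTX_set_verify_depth() from the second ClientCert argument. It assumes an `openssl` command-line tool (1.1.0 or later) on PATH and nothing else. One caveat to the OpenSSL text quoted above: it describes the 1.0.x behaviour, where depth N admits levels 0 through N and the self-signed root must fit inside the limit. From OpenSSL 1.1.0 on, neither the peer certificate nor the trust anchor counts, so depth N means "at most N intermediate CAs", the default limit is 100 rather than 9, and a chain that exceeds the limit is reported as X509_V_ERR_CERT_CHAIN_TOO_LONG (error 22) instead of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

```shell
#!/bin/sh
# Added example (not part of the Pound thread or of Pound): build a constructed
# chain root -> inter1 -> inter2 -> leaf and verify the leaf under several
# depth limits. `openssl verify -verify_depth N` sets the same X509 depth limit
# that Pound passes to SSL_CTX_set_verify_depth() for "ClientCert n depth".
# Assumption: an `openssl` CLI, 1.1.0 or newer, is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/req.cnf"

# Minimal req config: the DN comes from -subj; the extension sections mark the
# CAs as CA:TRUE so that OpenSSL accepts them as issuers during chain building.
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF

# issue NAME SUBJECT ISSUER EXT_SECTION   (ISSUER "self" = self-signed root)
issue() {
    openssl req -new -config "$CONF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
            -extfile "$CONF" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
            -CAkey "$WORK/$3.key" -CAcreateserial -days 1 \
            -extfile "$CONF" -extensions "$4" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

build_chain() {
    issue root   /CN=Root-CA        self   ca_ext
    issue inter1 /CN=Intermediate-1 root   ca_ext
    issue inter2 /CN=Intermediate-2 inter1 ca_ext
    issue leaf   /CN=client         inter2 leaf_ext
    # The intermediates are what a client would send alongside its own cert;
    # only the root is configured as trusted (Pound's CAlist / -CAfile here).
    cat "$WORK/inter1.pem" "$WORK/inter2.pem" > "$WORK/chain.pem"
}

# verify_at_depth N: prints the verifier's output, returns 0 only on "OK".
verify_at_depth() {
    out=$(openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
              -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" 2>&1 || true)
    printf '%s\n' "$out" | sed "s/^/depth $1: /"
    printf '%s\n' "$out" | grep -q ': OK$'
}

build_chain
# Levels: leaf=0, inter2=1, inter1=2, root=3. With OpenSSL >= 1.1.0 the limit
# counts intermediates only, so depths 2 and 3 pass and 0 and 1 fail with
# "certificate chain too long"; with the 1.0.x semantics quoted in the thread
# the root had to fit inside the limit as well, so depth 2 failed there too.
for d in 0 1 2 3; do
    verify_at_depth "$d" || true
done
```

Read against the question at the bottom of the thread: a client certificate issued through two intermediates needs at least "ClientCert 2 2" on a 1.1.0+ build and "ClientCert 2 3" under the older counting, while "ClientCert 2 9" simply admits anything up to that length. The depth limit is a ceiling on how far the chain walk is allowed to go, not a set of extra checks that are switched on at each level, so a number larger than your deepest legitimate chain does no additional work.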
From: Chris Morrow [mailto:cmorrow(at)verrus.com]
Sent: Monday, March 01, 2010 1:53 PM
Subject: [Pound Mailing List] ClientCert depth of verification levels
I was unable to find documentation describing exactly what the depth of
verification is doing on the ClientCert parameter. I have a few questions.
1) Does someone have a breakdown of each depth number and what it does? For
example, depth "4" compared to depth "9".
2) Is there a performance hit for each level of additional verification? I
would assume yes, that is why it is broken down so verbosely.
3) What is the recommended parameter if there is a need to force and verify
Example HTTPSListener config...
Cert "certificate file"
ClientCert 2 9
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.